Is one of Anonymous or Windows Authentication really required for IIS when hosting an ASP.NET CORE application?


I have an ASP.NET CORE application hosted in IIS. The application uses OAUTH/OIDC for authenticating API requests. I have observed that if neither Anonymous nor Windows Authentication is activated, then requests are rejected by IIS and do not make it through to the application (even though the Authentication Header is set for Bearer). If I enable Anonymous Authentication, then the requests pass through to the application for authentication according to OAUTH/OIDC.

I believe that in the case of a classic ASP.NET application hosted in IIS, even though both Anonymous and Windows authentication were NOT enabled, requests still pass through to the application.

Can the community please confirm this - must I activate Anonymous mode in IIS or am I missing some other configuration?

Our IT admin policy is to not allow Anonymous Authentication in IIS (this is a problem as we migrate our ASP.NET Core applications to OIDC and away from Windows Authentication).

Lex Li
No. Even for classic ASP.NET apps, anonymous authentication is required.
djdomi
Correct, any service needs to have either a known or an unknown user, but can't handle non-user requests. The same thing would happen if you tried to use a file share.
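
As an added example (not code from the question or the commenters): with IIS Anonymous Authentication enabled, IIS only stops authenticating the request itself, and the application can still refuse anything that lacks a valid bearer token. The sketch assumes the Microsoft.AspNetCore.Authentication.JwtBearer package; the authority, audience and route names are placeholders.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Added example with placeholder values.
//
// Matching IIS setting, in web.config or applicationHost.config:
//   <system.webServer>
//     <security>
//       <authentication>
//         <anonymousAuthentication enabled="true" />
//         <windowsAuthentication enabled="false" />
//       </authentication>
//     </security>
//   </system.webServer>
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Validate the Authorization: Bearer token inside the application.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.com"; // placeholder OIDC issuer
        options.Audience = "example-api";              // placeholder audience
    });

builder.Services.AddAuthorization(options =>
{
    // Any endpoint without its own authorization metadata requires an
    // authenticated user, so a forgotten [Authorize] does not expose it.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Covered by the fallback policy: returns 401 without a valid token.
app.MapGet("/api/whoami", (System.Security.Claims.ClaimsPrincipal user) =>
    Results.Ok(new { name = user.Identity?.Name }));

// Unauthenticated access has to be an explicit, reviewable opt-out.
app.MapGet("/healthz", () => Results.Ok()).AllowAnonymous();

app.Run();
```

The fallback policy applies to routed endpoints; content served by middleware that runs before `UseAuthorization` is not covered by it.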
